01/18/2019

Attackers Using “Love You” Malspam To Infect Recipients with Ransomware and Other Malware

by David Bisson

Digital attackers are using “Love You” malspam emails to infect unsuspecting recipients with ransomware and other malware.

On 8 January 2019, SANS Internet Storm Center (ISC) handler Brad Duncan came across a new malspam campaign. Its attack emails arrived with subject lines like “My love letter for you,” “Wrote the fantasy about us down” and “Always thinking about you.” They also came with zip archive attachments whose names all started with “Love_you_,” hence the name for the malicious spam operation.

When opened, those attachments revealed an obfuscated JS file. Most of these attachments were just a few dozen kilobytes in size. Some were even smaller, as Duncan explains in a blog post:

Attachments in malspam from my infected lab host were approximately 1.3 kB, which is considerably smaller than the 43 to 46 kB attachments I found through VirusTotal. However, these smaller .js files generated the same infection traffic as the larger ones. The larger .js files had more obfuscation for the same functions.

Double-clicking either the small or large .js file yielded the same result: a PowerShell command that returned “krablin.exe” as the initial EXE. Upon execution, krablin.exe copied itself to %UserProfile%\[number]\winsvcs.exe. It then attempted to download five malware samples.

These threats included the following:

XMRig cryptocurrency miner: XMRig is an open-source tool that mines for Monero. As reported by Security Intelligence, the standard XMRig tool sends five percent of the mined coins to the author’s wallet address. Bad actors have created a malicious version of the utility with this code removed so that they can collect all of the profits. Some of these operations are large: researchers detected one XMRig campaign using 250 unique Windows-based executables, for example.

GandCrab ransomware: This family of crypto-malware first emerged in February 2018, per Bitdefender’s findings. Shortly thereafter, digital criminals began incorporating the ransomware into their attack campaigns. They did so partly because GandCrab allows bad actors to create custom ransom notes for each victim. Ransom demands have ranged from $600 to $700,000 as of this writing. Fortunately, Bitdefender took note of these attacks and responded by developing the Bitdefender GandCrab Ransomware Recovery Tool, which can decrypt files encrypted by certain versions of GandCrab.

The “krablin.exe” file also converted Duncan’s infected host into a spambot for the Phorpiex botnet, a botnet that has a history of distributing GandCrab along with other malware.
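The infection chain described above (a “Love_you_” zip carrying a .js file, the script host launching PowerShell, and the dropped copy at %UserProfile%\[number]\winsvcs.exe) gives defenders three concrete things to look for. The following Python script is an added example, not code from the article or from Duncan’s analysis: it turns those three observations into detection rules and runs them over a handful of constructed mail-gateway and endpoint events. The key=value log format, the field names and every sample line are assumptions made for the example; the only indicators taken from the article are the attachment naming pattern and the winsvcs.exe path.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not taken from the campaign): a mix of mail-gateway
# attachment records and endpoint process/file events in an assumed key=value form.
SAMPLE_EVENTS = [
    'type=mail subject="My love letter for you" attachment="Love_you_2019_1.zip" inner="Love_you_2019_1.js"',
    'type=mail subject="Q4 invoice" attachment="invoice.pdf" inner=""',
    'type=process parent="wscript.exe" image="powershell.exe" cmdline="powershell.exe -w hidden"',
    'type=process parent="explorer.exe" image="powershell.exe" cmdline="powershell.exe Get-Process"',
    r'type=file action=create path="C:\Users\alice\48213\winsvcs.exe"',
    r'type=file action=create path="C:\Users\alice\AppData\Local\Temp\setup.exe"',
]

# Parser for the assumed key=value format; values may be quoted or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicator 1: zip attachments whose names start with "Love_you_" (from the article).
LOVE_YOU_ATTACHMENT = re.compile(r"^love_you_.*\.zip$", re.IGNORECASE)

# Indicator 2: a Windows script host launching PowerShell, which is how the
# obfuscated .js reached the PowerShell stage in the described chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Indicator 3: krablin.exe copied itself to %UserProfile%\[number]\winsvcs.exe,
# i.e. a purely numeric directory directly under the user profile.
WINSVCS_PATH = re.compile(r"\\Users\\[^\\]+\\\d+\\winsvcs\.exe$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule that matches the event."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "mail":
        attachment = event.get("attachment", "")
        inner = event.get("inner", "")
        # Require both the naming pattern and a .js inside the archive to cut noise.
        if LOVE_YOU_ATTACHMENT.match(attachment) and inner.lower().endswith(".js"):
            hits.append("love_you_zip_with_js")
    elif kind == "process":
        parent = event.get("parent", "").lower()
        image = event.get("image", "").lower()
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("script_host_spawned_powershell")
    elif kind == "file":
        if WINSVCS_PATH.search(event.get("path", "")):
            hits.append("winsvcs_in_numeric_profile_dir")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run every rule over each line; return (line index, matched rules) for hits only."""
    findings: List[Tuple[int, List[str]]] = []
    for index, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)} :: {SAMPLE_EVENTS[index]}")
```

Run against the constructed sample, the script flags events 0, 2 and 4 and leaves the benign invoice, the interactive PowerShell session and the ordinary installer untouched. The mail rule deliberately requires both the “Love_you_” name and a .js payload, and the file rule keys on the numeric profile subdirectory rather than on the name winsvcs.exe alone, so that each rule encodes a behaviour of the described chain instead of a single string that the next campaign can trivially change.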

This isn’t the first time that digital attackers have abused love-themed spam messages to prey upon unsuspecting users. For instance, in February 2018, IBM X-Force observed a massive spam campaign in which the Necurs botnet sent out over 230 million messages within just a month. All of these spam emails delivered what appeared to be short messages written by Russian women living in the United States who claimed to have profiles on Facebook or Badoo, the third most-popular dating app in Russia. Subsequently, the fake women asked recipients to write them back through a provided email address. Attackers could then have used those communication channels to ask for money or to infect recipients’ computers with malware.

Other “spray & pray” campaigns have offered beauty makeovers and discounts on adult items in anticipation of Valentine’s Day. Most of these operations trick users into paying for goods that are defective or that simply never arrive.

Given such a variety of attacks, it’s important that organizations protect themselves against malspam campaigns in general. They should do so by investing in a solution that can analyze suspicious emails based upon their IP addresses, URLs, phrases, patterns and malware signatures/behavior. With this multi-layered defensive strategy, for instance, Zix was able to block 100 percent of the “Love You” spam messages sent out in the campaign described above.